[Sugar-devel] [PATCH sugar 0/2] Escape user data and translations in markup
dsd at laptop.org
Mon Jun 27 07:24:14 EDT 2011
On 26 June 2011 19:06, Sascha Silbe <silbe at activitycentral.com> wrote:
> While chasing down a similar bug in the Clock Frame device, I noticed that
> we're lacking the necessary escaping in most of Sugar. See SL#2099 for an
> example of what can happen if we don't.
> This patch series only covers Palette primary/secondary text and MenuItem
> labels. There's a good chance text passed to other widgets needs to be escaped
> as well.
This looks like it will be easily overlooked in the future as well.
Wouldn't it make more sense to modify the standard Palette and
MenuItem APIs so that they don't accept markup, and add a second API
for markup users? I imagine that there are only a handful of users
that actually want markup here.
More information about the Sugar-devel